Diffstat (limited to 'package/firewall/files/old')
| -rw-r--r-- | package/firewall/files/old/firewall.awk | 50 | ||||
| -rw-r--r-- | package/firewall/files/old/firewall.config | 48 | ||||
| -rwxr-xr-x | package/firewall/files/old/firewall.init | 142 | ||||
| -rw-r--r-- | package/firewall/files/old/firewall.user | 30 | 
4 files changed, 270 insertions, 0 deletions
diff --git a/package/firewall/files/old/firewall.awk b/package/firewall/files/old/firewall.awk
new file mode 100644
index 000000000..31dbae0f3
--- /dev/null
+++ b/package/firewall/files/old/firewall.awk
@@ -0,0 +1,50 @@
+# Copyright (C) 2006 OpenWrt.org
+
+BEGIN {
+	FS=":"
+}
+
+($1 == "accept") || ($1 == "drop") || ($1 == "forward") {
+	delete _opt
+	str2data($2)
+	if ((_l["proto"] == "") && (_l["sport"] _l["dport"] != "")) {
+		_opt[0] = " -p tcp"
+		_opt[1] = " -p udp"
+	} else {
+		_opt[0] = ""
+	}
+}
+
+($1 == "accept") {
+	target = " -j ACCEPT"
+	for (o in _opt) {
+		print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target
+		print "iptables        -A input_wan     " _opt[o] str2ipt($2) target
+		print ""
+	}
+}
+
+($1 == "drop") {
+	for (o in _opt) {
+		print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) " -j DROP"
+		print ""
+	}
+}
+
+($1 == "forward") {
+	target = " -j DNAT --to " $3
+	fwopts = ""
+	if ($4 != "") {
+		if ((_l["proto"] == "tcp") || (_l["proto"] == "udp") || (_l["proto"] == "")) {
+			if (_l["proto"] != "") fwopts = " -p " _l["proto"]
+			fwopts = fwopts " --dport " $4
+			target = target ":" $4
+		}
+		else fwopts = ""
+	}
+	for (o in _opt) {
+		print "iptables -t nat -A prerouting_wan" _opt[o] str2ipt($2) target
+		print "iptables        -A forwarding_wan   " _opt[o] " -d " $3 fwopts " -j ACCEPT"
+		print ""
+	}
+}
diff --git a/package/firewall/files/old/firewall.config b/package/firewall/files/old/firewall.config
new file mode 100644
index 000000000..1b92954c9
--- /dev/null
+++ b/package/firewall/files/old/firewall.config
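Review bot: A `forward` rule that gives a `<port>` but whose `<match>` has neither `proto` nor `sport`/`dport` (e.g. `forward:src=1.2.3.4:192.168.1.2:80`) takes the `else` branch of the first block, so `_opt[0]` is `""` and the emitted commands carry `-j DNAT --to 192.168.1.2:80` and `--dport 80` with no `-p`; iptables rejects both (a port in `--to` or a `--dport` needs a tcp/udp protocol), and since the init script pipes this output into `ash` without checking exit status the forward is silently never installed. Extending the tcp/udp fan-out condition to `if ((_l["proto"] == "") && ((_l["sport"] _l["dport"] != "") || ($1 == "forward" && $4 != ""))) {` makes a port-rewriting forward emit one tcp and one udp rule, consistent with how a `dport` match is handled. Separately, `drop` rules are emitted only into the nat `prerouting_wan` chain; the nat table is consulted only for the first packet of a connection, so a filter-table rule in `input_wan`/`forwarding_wan` is the conventional place for a drop. `str2data` and `str2ipt` come from common.awk, which is not in this diff, so the layout of `_l` is assumed from its use here.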
@@ -0,0 +1,48 @@
+# Copyright (C) 2006 OpenWrt.org
+
+# RULE SYNTAX:
+#
+# forward:<match>:<target>[:<port>]
+# 	- forwards all packets matched by <match> to <target>,
+# 	  optionally changing the port to <port>
+#
+# accept:<match>
+# 	- accepts all traffic matched by <match>
+#
+# drop:<match>
+#	- drops all traffic matched by <match>
+#
+#
+# MATCHING OPTIONS:
+#
+# src=<ip>
+# 	- match the source ip <ip>
+#
+# dest=<ip>
+# 	- match the destination ip <ip>
+#
+# proto=<proto>
+# 	- match the protocol by name or number
+#
+# sport=<port(s)>
+# 	- match the source port(s), see below for syntax
+#
+# dport=<port(s)>
+# 	- match the destination port(s), see below for syntax
+#
+#
+#
+# PORT SYNTAX:
+#
+# You can enter an arbitrary list of ports and port ranges in the following format:
+#   - 22,53,993,1000-1024 
+#
+# If you don't set the protocol to tcp or udp, it will apply to both
+#
+#
+#
+# EXAMPLES:
+#
+# drop:dport=22 src=1.3.3.7
+# accept:proto=tcp dport=22
+# forward:dport=60168:192.168.1.2:60169
diff --git a/package/firewall/files/old/firewall.init b/package/firewall/files/old/firewall.init
new file mode 100755
index 000000000..0da97f836
--- /dev/null
+++ b/package/firewall/files/old/firewall.init
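Review bot: The RULE SYNTAX section does not say that the optional `<port>` on `forward:` only takes effect when `proto` is tcp, udp or unset; for any other protocol firewall.awk clears `fwopts` and leaves `target` without `:<port>`, so the port is silently ignored. I would add under the `forward:` entry: `# 	  (<port> is honoured only for proto=tcp, proto=udp or no proto; otherwise it is ignored)`. The `drop:` description also reads as a general packet filter, while the awk script only emits it into the WAN-side nat prerouting chain, so `- drops traffic arriving on the WAN interface that is matched by <match>` describes what is actually installed.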
@@ -0,0 +1,142 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006 OpenWrt.org
+
+## Please make changes in /etc/firewall.user
+START=45
+start() {
+	include /lib/network
+	scan_interfaces
+	
+	config_get WAN wan ifname
+	config_get WANDEV wan device
+	config_get LAN lan ifname
+	config_get_bool NAT_LAN lan nat 1
+	if [ $NAT_LAN -ne 0 ]
+	then
+		config_get LAN_MASK lan netmask
+		config_get LAN_IP lan ipaddr
+		LAN_NET=$(/bin/ipcalc.sh $LAN_IP $LAN_MASK | grep NETWORK | cut -d= -f2)
+	fi
+	
+	## CLEAR TABLES
+	for T in filter nat; do
+		iptables -t $T -F
+		iptables -t $T -X
+	done
+	
+	iptables -N input_rule
+	iptables -N input_wan
+	iptables -N output_rule
+	iptables -N forwarding_rule
+	iptables -N forwarding_wan
+
+	iptables -t nat -N NEW
+	iptables -t nat -N prerouting_rule
+	iptables -t nat -N prerouting_wan
+	iptables -t nat -N postrouting_rule
+	
+	iptables -N LAN_ACCEPT
+	[ -z "$WAN" ] || iptables -A LAN_ACCEPT -i "$WAN" -j RETURN
+	[ -z "$WANDEV" -o "$WANDEV" = "$WAN" ] || iptables -A LAN_ACCEPT -i "$WANDEV" -j RETURN
+	iptables -A LAN_ACCEPT -j ACCEPT
+	
+	### INPUT
+	###  (connections with the router as destination)
+	
+	# base case
+	iptables -P INPUT DROP
+	iptables -A INPUT -m state --state INVALID -j DROP
+	iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+	iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP
+	
+	#
+	# insert accept rule or to jump to new accept-check table here
+	#
+	iptables -A INPUT -j input_rule
+	[ -z "$WAN" ] || iptables -A INPUT -i $WAN -j input_wan
+	
+	# allow
+	iptables -A INPUT -j LAN_ACCEPT	# allow from lan/wifi interfaces 
+	iptables -A INPUT -p icmp	-j ACCEPT	# allow ICMP
+	iptables -A INPUT -p gre	-j ACCEPT	# allow GRE
+	
+	# reject (what to do with anything not allowed earlier)
+	iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
+	iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
+	
+	### OUTPUT
+	### (connections with the router as source)
+	
+	# base case
+	iptables -P OUTPUT DROP
+	iptables -A OUTPUT -m state --state INVALID -j DROP
+	iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+	
+	#
+	# insert accept rule or to jump to new accept-check table here
+	#
+	iptables -A OUTPUT -j output_rule
+	
+	# allow
+	iptables -A OUTPUT -j ACCEPT		#allow everything out
+	
+	# reject (what to do with anything not allowed earlier)
+	iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
+	iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
+	
+	### FORWARDING
+	### (connections routed through the router)
+	
+	# base case
+	iptables -P FORWARD DROP 
+	iptables -A FORWARD -m state --state INVALID -j DROP
+	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+	iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+	
+	#
+	# insert accept rule or to jump to new accept-check table here
+	#
+	iptables -A FORWARD -j forwarding_rule
+	[ -z "$WAN" ] || iptables -A FORWARD -i $WAN -j forwarding_wan
+	
+	# allow
+	iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT
+	[ -z "$WAN" ] || iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
+	
+	# reject (what to do with anything not allowed earlier)
+	# uses the default -P DROP
+	
+	### MASQ
+	iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW 
+	iptables -t nat -A PREROUTING -j prerouting_rule
+	[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -j prerouting_wan
+	iptables -t nat -A POSTROUTING -j postrouting_rule
+	### Only LAN, unless told not to
+	if [ $NAT_LAN -ne 0 ]
+	then
+		[ -z "$WAN" ] || iptables -t nat -A POSTROUTING --src $LAN_NET/$LAN_MASK -o $WAN -j MASQUERADE
+	fi
+
+	iptables -t nat -A NEW -m limit --limit 50 --limit-burst 100 -j RETURN && \
+		iptables -t nat -A NEW -j DROP
+
+	## USER RULES
+	[ -f /etc/firewall.user ] && . /etc/firewall.user
+	[ -n "$WAN" -a -e /etc/firewall.config ] && {
+		export WAN
+		awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/firewall.config | ash
+	}
+}
+
+stop() {
+	iptables -P INPUT ACCEPT
+	iptables -P OUTPUT ACCEPT
+	iptables -P FORWARD ACCEPT
+	iptables -F
+	iptables -X
+	iptables -t nat -P PREROUTING ACCEPT
+	iptables -t nat -P POSTROUTING ACCEPT
+	iptables -t nat -P OUTPUT ACCEPT
+	iptables -t nat -F
+	iptables -t nat -X
+}
diff --git a/package/firewall/files/old/firewall.user b/package/firewall/files/old/firewall.user
new file mode 100644
index 000000000..f4eb18ef7
--- /dev/null
+++ b/package/firewall/files/old/firewall.user
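Review bot: The SYN rate limiter in the MASQ section, `iptables -t nat -A PREROUTING -m state --state NEW -p tcp -j NEW` backed by `-j DROP` once 50/s (burst 100) is exceeded, has no `-i` match, so LAN-originated connections are counted in the same bucket as WAN traffic; one busy LAN host or one external port scan pushes the shared limit over and every new TCP connection arriving on any interface is dropped until the rate falls. Guarding it like the surrounding WAN rules, `[ -z "$WAN" ] || iptables -t nat -A PREROUTING -i "$WAN" -m state --state NEW -p tcp -j NEW`, keeps the flood protection on the untrusted side only (it remains one global bucket, which `-m limit` cannot make per-source). In the FORWARD section, `iptables -A FORWARD -i $LAN -o $LAN -j ACCEPT` and the `-i $LAN -o $WAN` rule below it have no `[ -z "$LAN" ]` guard and leave `$LAN` unquoted, unlike every `$WAN` use above, so an empty lan ifname yields a malformed iptables call whose failure goes unnoticed. Relatedly, the generated rules are fed to `ash` with no error checking, so any rejected rule leaves the ruleset partially applied with no log entry; `ash -e` would at least stop on the first failure.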
@@ -0,0 +1,30 @@
+#!/bin/sh
+# Copyright (C) 2006 OpenWrt.org
+
+iptables -F input_rule
+iptables -F output_rule
+iptables -F forwarding_rule
+iptables -t nat -F prerouting_rule
+iptables -t nat -F postrouting_rule
+
+# The following chains are for traffic directed at the IP of the 
+# WAN interface
+
+iptables -F input_wan
+iptables -F forwarding_wan
+iptables -t nat -F prerouting_wan
+
+### Open port to WAN
+## -- This allows port 22 to be answered by (dropbear on) the router
+# iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT 
+# iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT
+
+### Port forwarding
+## -- This forwards port 8080 on the WAN to port 80 on 192.168.1.2
+# iptables -t nat -A prerouting_wan -p tcp --dport 8080 -j DNAT --to 192.168.1.2:80
+# iptables        -A forwarding_wan -p tcp --dport 80 -d 192.168.1.2 -j ACCEPT
+
+### DMZ
+## -- Connections to ports not handled above will be forwarded to 192.168.1.2
+# iptables -t nat -A prerouting_wan -j DNAT --to 192.168.1.2
+# iptables        -A forwarding_wan -d 192.168.1.2 -j ACCEPT 
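Review bot: The comment `# The following chains are for traffic directed at the IP of the WAN interface` overstates the selection: firewall.init jumps into `input_wan`, `forwarding_wan` and `prerouting_wan` with `-i $WAN`, i.e. by ingress interface, so they also see packets that arrive on the WAN with some other destination (forwarded traffic, DNAT targets). I would reword it to `# The following chains see all traffic arriving on the WAN interface` so that the DMZ example below, which DNATs every protocol and port that reaches `prerouting_wan` to 192.168.1.2, is read with its real scope. The DMZ comment should also say that its two rules must stay last in their chains, because the `-t nat ... --dport 22 -j ACCEPT` above only keeps port 22 on the router by being evaluated before the catch-all DNAT.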
